WildFire
'''WildFire''' is a feature that allows users to submit files to the Palo Alto Networks secure, cloud-based, virtualized environment, where they are automatically analyzed for malicious activity.

WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing, signature-based detection and blocking of malware. It uses Palo Alto Networks App-ID technology to identify file transfers within all applications and so expose zero-day malware. The firewall can provide instant alerts whenever malware is detected on your network by sending email alerts, syslog alerts, or SNMP traps. This allows you to quickly identify the user who downloaded the malware and eradicate it before it causes damage or propagates to other users.

Configure a '''file blocking profile''' to enable the firewall to forward samples to WildFire for analysis, in order to gain visibility into zero-day malware.

No subscription is required for sandboxing files sent from Palo Alto Networks firewalls to the WildFire cloud. A Threat Prevention and/or WildFire subscription is required to detect and block unknown malware after WildFire has analyzed it: the analysis itself is free, but the signatures it produces are only delivered to subscribers.

'''WildFire Subscription:'''
*''WildFire Dynamic Updates'' - Provides new malware signatures on a sub-hourly basis.
**Within an hour of detecting new malware, WildFire creates a new malware signature and distributes it through the WildFire dynamic updates, making the signature available to all WildFire subscribers.
**If you only have a Threat Prevention subscription, the signatures are rolled into the antivirus updates, which occur about every 24-48 hours.
*''Integrated WildFire Logs'' - Full analysis report from the WildFire system. Allows you to configure SNMP, syslog and email alerts, and forwarding to Panorama.
*''WildFire API'' - Used to submit files to the WildFire cloud and to retrieve reports for the submitted files.
**Supports up to 100 file submissions per day and up to 1000 queries per day.
**NOTE: you cannot use the WildFire API to submit files to a WildFire appliance.
*''WildFire Appliance'' - Enables on-premises sandboxing of malware.
**The firewall can forward files to a WildFire appliance for analysis.
**If you only have a Threat Prevention subscription, you can forward files to the WildFire cloud only.

'''Threat Prevention subscription:'''
*Enables the firewall to receive daily antivirus signature updates, which provide coverage for all malware samples detected by WildFire globally to all customers with a Threat Prevention subscription.
*Provides weekly content updates that include new vulnerability protection and anti-spyware signatures.

'''WildFire Cloud:'''
*The firewall forwards files to the hosted WildFire environment that is owned and maintained by Palo Alto Networks for signature generation.
**https://wildfire.paloaltonetworks.com

'''WF-500 WildFire Appliance:'''
*Provides an on-premises WildFire private cloud, enabling you to analyze suspicious files in a sandbox environment without requiring the files to be sent outside of the network.

'''WildFire Configuration:'''
https://live.paloaltonetworks.com/docs/DOC-3252

'''STEP 1:''' Device -> Setup -> WildFire (tab) -> General Settings
*'''WildFire Server:''' default-cloud
*'''Maximum File Size (MB):''' 2 (files larger than this limit are not forwarded)

'''STEP 2:''' Device -> Setup -> WildFire (tab) -> Session Information Settings
*Specify the session information to be forwarded to the WildFire server.
**By default, all the options are selected, but they are not all required for WildFire to work.

'''STEP 3:''' Objects -> Security Profiles -> File Blocking
#Add a rule and give it a Name.
#'''Application:''' any
#'''File types:''' select the file types, e.g. exe and dll
#'''Direction:''' select the direction of the file transfer (upload, download, or both)
#'''Action:''' select the action taken when the selected file types are detected; ''forward'' means the file is automatically sent to WildFire.

'''STEP 4:''' Policy -> Security -> attach the file blocking profile to the security rule(s) to which WildFire protection should apply.

*Commit.

'''To view WildFire logs:''' Monitor -> Logs -> WildFire
*Data filtering logs can be used to check the status of the file.
*Not every download is visible in the Dashboard reports. The WildFire Dashboard reports will remain blank until an unknown file is uploaded to the cloud.

'''ACTIONS:'''
*'''forward''' = The data plane detected a potentially executable file on a WildFire-enabled policy. The file is buffered in the management plane.
**If you only see "forward" with NO "wildfire-upload-success" or "wildfire-upload-skip", the file is either signed by a trusted file signer, OR it is a benign sample that the cloud has already seen.
***No further action is performed on the file and no further information is sent to the cloud. There is no entry in the WildFire web portal for these files.
*'''wildfire-upload-success''' = The file was not signed by a trusted signer and had not yet been seen by the cloud. The file and session information were uploaded to the cloud for analysis.
*'''wildfire-upload-skip''' = The file was already seen by the cloud, but unlike the silent case above it was CONFIRMED TO BE MALWARE. The device skips uploading the file but still sends the session information for logging purposes.

'''WildFire Portal:'''
To access the WildFire portal, go to https://wildfire.paloaltonetworks.com and log in using your Palo Alto Networks credentials or WildFire account.
*The portal opens to display the dashboard.
**Lists summary report information for all of the firewalls associated with the specific WildFire account or support account. Includes files that have been uploaded manually.
**The display includes the number of analyzed files and indicates how many are Malware, Benign, or pending analysis.

'''CLI Commands:'''
 > show wildfire disk-usage
 > debug wildfire dp-status
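The three data filtering log actions listed in the ACTIONS section above, turned into triage logic. This is an added example, not Palo Alto Networks code and not part of the original page: the comma-separated log layout and the session ids in SAMPLE_LOG are constructed for illustration (real PAN-OS CSV data filtering logs carry many more fields), and treating an upload entry that has no matching "forward" as "unexpected" is this example's own heuristic.

```python
"""Triage WildFire submission state from PAN-OS data filtering log entries.

Added example (not Palo Alto Networks code): groups the per-file actions a
firewall logs when a file blocking profile forwards samples to WildFire and
states what each combination means for the analyst.
"""
from collections import defaultdict

FORWARD = "forward"
UPLOAD_OK = "wildfire-upload-success"
UPLOAD_SKIP = "wildfire-upload-skip"

# Constructed sample log. The field layout is an assumption for this example
# (timestamp, session id, action, source user, filename); real PAN-OS CSV
# data filtering logs carry many more fields.
SAMPLE_LOG = """\
2020/02/14 10:01:02,12345,forward,acme\\jdoe,invoice.exe
2020/02/14 10:01:03,12345,wildfire-upload-success,acme\\jdoe,invoice.exe
2020/02/14 10:02:10,12346,forward,acme\\asmith,setup.dll
2020/02/14 10:03:30,12347,forward,acme\\bwong,dropper.exe
2020/02/14 10:03:31,12347,wildfire-upload-skip,acme\\bwong,dropper.exe
2020/02/14 10:04:00,12348,wildfire-upload-success,acme\\cdiaz,odd.exe
"""

# What each outcome means, following the ACTIONS section of this page.
MEANING = {
    "uploaded": "new unsigned sample, uploaded for analysis; a verdict and portal entry will follow",
    "known-malware": "cloud had already confirmed this file as malware; only session info was sent",
    "not-sent": "trusted signer or already-known benign; nothing sent, no portal entry",
    "unexpected": "upload logged without the 'forward' that buffers the file, or both upload "
                  "actions for one file; check log correlation",
}


def parse(log_text):
    """Group log lines by session id -> {"user", "file", "actions"}."""
    sessions = defaultdict(lambda: {"user": None, "file": None, "actions": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, sid, action, user, fname = line.split(",", 4)
        entry = sessions[sid]
        entry["user"], entry["file"] = user, fname
        entry["actions"].append(action)
    return dict(sessions)


def classify(actions):
    """Map the set of actions seen for one file to an outcome key of MEANING."""
    acts = set(actions)
    # Heuristic of this example: the data plane logs 'forward' before any
    # upload decision, and a file is either uploaded or skipped, never both.
    if FORWARD not in acts or (UPLOAD_OK in acts and UPLOAD_SKIP in acts):
        return "unexpected"
    if UPLOAD_OK in acts:
        return "uploaded"
    if UPLOAD_SKIP in acts:
        return "known-malware"
    return "not-sent"


def triage(log_text):
    """Return {session_id: outcome} for every session in the log."""
    return {sid: classify(e["actions"]) for sid, e in parse(log_text).items()}


def act_first(log_text):
    """Sessions to handle first: confirmed malware (user to contain), then anomalies."""
    sessions = parse(log_text)
    order = {"known-malware": 0, "unexpected": 1, "uploaded": 2, "not-sent": 3}
    ranked = sorted(sessions.items(), key=lambda kv: order[classify(kv[1]["actions"])])
    return [(sid, e["user"], e["file"], classify(e["actions"])) for sid, e in ranked]


if __name__ == "__main__":
    for sid, user, fname, outcome in act_first(SAMPLE_LOG):
        print("%s %-12s %-12s %-14s %s" % (sid, user, fname, outcome, MEANING[outcome]))
```

Running the script ranks session 12347 (wildfire-upload-skip, so a file the cloud already knows as malware) ahead of everything else, which matches the page's advice to find the user who downloaded the malware first; a file that only shows "forward" is deliberately ranked last, since nothing was sent and nothing will appear in the portal.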
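The WildFire API item in the subscription list above states the limits of 100 file submissions and 1000 queries per day. As an added example (not Palo Alto Networks code and not from the original page), this client enforces those quotas locally and looks up the verdict by SHA-256 before spending a submission, so the scarce submission budget is used only on files the cloud has never seen. The /publicapi/get/verdict and /publicapi/submit/file paths, the apikey/hash/file form fields and the numeric verdict codes follow the public WildFire API documentation as recalled here and should be checked against the current docs; fake_post, KNOWN_BAD and the API key string are constructed so the demo runs offline.

```python
"""Minimal WildFire public API client that enforces the per-day quotas.
Added example, not Palo Alto Networks code: verdict lookup by SHA-256 first
(1000 queries/day), file submission (100/day) only for unknown hashes."""
import datetime as dt
import hashlib
import urllib.parse
import urllib.request
import uuid
import xml.etree.ElementTree as ET

# Endpoint paths, field names and verdict codes follow the public WildFire
# API documentation as remembered here; verify against the current docs.
BASE_URL = "https://wildfire.paloaltonetworks.com/publicapi"
SUBMITS_PER_DAY = 100    # limit stated on this page
QUERIES_PER_DAY = 1000   # limit stated on this page
VERDICTS = {"0": "benign", "1": "malware", "2": "grayware", "-100": "pending",
            "-101": "error", "-102": "unknown", "-103": "invalid hash"}


class QuotaExceeded(Exception):
    pass


def encode_multipart(fields, file_field, filename, data):
    """multipart/form-data body for a file upload (the stdlib has no helper)."""
    b = uuid.uuid4().hex
    out = []
    for name, value in fields.items():
        out.append(('--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
                    % (b, name, value)).encode())
    out.append(('--%s\r\nContent-Disposition: form-data; name="%s"; filename="%s"\r\n'
                'Content-Type: application/octet-stream\r\n\r\n' % (b, file_field, filename)).encode())
    out.append(data + b"\r\n--" + b.encode() + b"--\r\n")
    return "multipart/form-data; boundary=" + b, b"".join(out)


def http_post(url, content_type, body):
    """Real transport; swapped for fake_post() in the offline demo below."""
    req = urllib.request.Request(url, data=body, headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


class WildFireClient:
    def __init__(self, api_key, post=http_post, today=dt.date.today):
        self.api_key, self.post, self.today = api_key, post, today
        self.day, self.submits, self.queries = today(), 0, 0

    def _spend(self, counter, limit):
        """Count one call against a daily quota, resetting when the day changes."""
        if self.today() != self.day:
            self.day, self.submits, self.queries = self.today(), 0, 0
        if getattr(self, counter) >= limit:
            raise QuotaExceeded("daily %s quota of %d exhausted" % (counter, limit))
        setattr(self, counter, getattr(self, counter) + 1)

    def get_verdict(self, sha256):
        self._spend("queries", QUERIES_PER_DAY)
        body = urllib.parse.urlencode({"apikey": self.api_key, "hash": sha256}).encode()
        xml = self.post(BASE_URL + "/get/verdict", "application/x-www-form-urlencoded", body)
        code = ET.fromstring(xml).findtext("./get-verdict-info/verdict")
        return VERDICTS.get(code, "unrecognised code %r" % code)

    def submit_file(self, filename, data):
        self._spend("submits", SUBMITS_PER_DAY)
        ctype, body = encode_multipart({"apikey": self.api_key}, "file", filename, data)
        xml = self.post(BASE_URL + "/submit/file", ctype, body)
        return ET.fromstring(xml).findtext("./upload-file-info/sha256")

    def analyze(self, filename, data):
        """Verdict lookup first; submit only what the cloud has never seen."""
        digest = hashlib.sha256(data).hexdigest()
        verdict = self.get_verdict(digest)
        if verdict == "unknown":
            self.submit_file(filename, data)
            return digest, "submitted"
        return digest, verdict


# Constructed offline stand-in for the cloud: it knows exactly one malware hash.
KNOWN_BAD = b"MZ...constructed known-bad sample"
CLOUD = {hashlib.sha256(KNOWN_BAD).hexdigest(): "1"}


def fake_post(url, content_type, body):
    if url.endswith("/get/verdict"):
        h = urllib.parse.parse_qs(body.decode())["hash"][0]
        return ("<wildfire><get-verdict-info><sha256>%s</sha256><verdict>%s</verdict>"
                "</get-verdict-info></wildfire>" % (h, CLOUD.get(h, "-102"))).encode()
    return b"<wildfire><upload-file-info><sha256>(constructed)</sha256></upload-file-info></wildfire>"


def demo(post=fake_post):
    """Run the query-then-submit flow, then exhaust the submission quota."""
    c = WildFireClient("EXAMPLE-API-KEY", post=post)
    results = {"known": c.analyze("bad.exe", KNOWN_BAD)[1],
               "unseen": c.analyze("new.exe", b"MZ...never seen before")[1]}
    for i in range(SUBMITS_PER_DAY - c.submits):       # burn the remaining submissions
        c.submit_file("f%d.exe" % i, b"MZ...%d" % i)
    try:
        c.submit_file("one-too-many.exe", b"MZ")
        results["quota_enforced"] = False
    except QuotaExceeded:
        results["quota_enforced"] = True
    results["queries_used"] = c.queries
    return results
```

Calling demo() shows the known-malware sample costing one query and no submission, the unseen sample costing one query plus one submission, and the 101st submission of the day being refused client-side rather than by the cloud. To use it against the real service, construct WildFireClient with your API key and leave the default http_post transport in place.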